From 0872216dbb00cf96167f4d21091913320ae7fdab Mon Sep 17 00:00:00 2001 From: "jerry.lin" Date: Thu, 8 Jun 2023 10:26:49 +0800 Subject: [PATCH 1/2] init github actions --- .github/workflows/docker.yaml | 67 +++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/docker.yaml diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml new file mode 100644 index 0000000..eeb280e --- /dev/null +++ b/.github/workflows/docker.yaml @@ -0,0 +1,67 @@ +name: docker + +on: + push: + tags: + - 'v*' + schedule: + - cron: "0 0 * * *" + +env: + REGISTRY: docker.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Login to Registry ${{ env.REGISTRY }} + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - + name: Docker meta + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + # set latest tag for default branch + type=raw,value=latest,enable={{is_default_branch}} + - + name: Build and export to Docker + uses: docker/build-push-action@v4 + with: + context: . + load: true + tags: ${{ steps.meta.outputs.tags }} + - + name: Scan cves + id: docker-scout + uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + dockerhub-user: ${{ secrets.DOCKER_USERNAME }} + dockerhub-password: ${{ secrets.DOCKER_PASSWORD }} + - + name: Build and push + if: ${{ success() && (github.event_name != 'schedule') }} + uses: docker/build-push-action@v4 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} From ddaa852672d345003d354b8ba9932529ff50794c Mon Sep 17 00:00:00 2001 From: "jerry.lin" Date: Thu, 8 Jun 2023 10:38:43 +0800 Subject: [PATCH 2/2] github actions --- .../{docker.yaml => docker-build.yaml} | 32 ++++++-------- .github/workflows/docker-scan.yaml | 42 +++++++++++++++++++ 2 files changed, 55 insertions(+), 19 deletions(-) rename .github/workflows/{docker.yaml => docker-build.yaml} (60%) create mode 100644 .github/workflows/docker-scan.yaml diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker-build.yaml similarity index 60% rename from .github/workflows/docker.yaml rename to .github/workflows/docker-build.yaml index eeb280e..c9c14e8 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker-build.yaml @@ -1,15 +1,13 @@ -name: docker +name: docker-build on: push: tags: - 'v*' - schedule: - - cron: "0 0 * * *" env: REGISTRY: docker.io - IMAGE_NAME: ${{ github.repository }} + IMAGE_NAME: 42crunch/scand-manager jobs: docker: @@ -18,9 +16,6 @@ jobs: - name: Checkout uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 @@ -37,9 +32,6 @@ jobs: uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - # set latest tag for default branch - type=raw,value=latest,enable={{is_default_branch}} - name: Build and export to Docker uses: docker/build-push-action@v4 @@ -47,21 +39,23 @@ jobs: context: . load: true tags: ${{ steps.meta.outputs.tags }} + cache-from: type=gha + cache-to: type=gha,mode=max - - name: Scan cves - id: docker-scout - uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506 + name: Scan image + id: scan + uses: Azure/container-scan@v0 with: - command: cves - image: ${{ steps.meta.outputs.tags }} - dockerhub-user: ${{ secrets.DOCKER_USERNAME }} - dockerhub-password: ${{ secrets.DOCKER_PASSWORD }} + image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + severity-threshold: CRITICAL + run-quality-checks: true - name: Build and push - if: ${{ success() && (github.event_name != 'schedule') }} + if: success() uses: docker/build-push-action@v4 with: context: . - platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} + cache-from: type=gha + cache-to: type=gha,mode=max diff --git a/.github/workflows/docker-scan.yaml b/.github/workflows/docker-scan.yaml new file mode 100644 index 0000000..28ab8fc --- /dev/null +++ b/.github/workflows/docker-scan.yaml @@ -0,0 +1,42 @@ +name: docker-scan + +on: + schedule: + - cron: '30 2 * * *' + +env: + REGISTRY: docker.io + IMAGE_NAME: 42crunch/scand-manager + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Scan image + id: scan + uses: Azure/container-scan@v0 + with: + image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + severity-threshold: CRITICAL + run-quality-checks: true + - + name: Send mail + if: failure() + run: | + cat < email.txt + From: No Reply + To: Security + Subject: Container Scan Report of ${{ github.repository }} + Date: $(date) + + $(cat ${{ steps.scan.outputs.scan-report-path }}) + $(cat ${{ steps.scan.outputs.check-run-url }}) + EOF + + curl \ + --ssl-reqd smtp://smtp.gmail.com \ + --mail-from no-reply@42crunch.com \ + --mail-rcpt security@42crunch.com \ + --upload-file email.txt \ + --user ${{ secrets.MAIL_USERNAME }}:${{ secrets.MAIL_PASSWORD }}